Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for operating on an Ethernet data packet to provide an enterprise networking environment over a service provider network, comprising the steps of: encrypting the Ethernet data packet according to an Ethernet encryption protocol to form an encrypted Ethernet data packet; applying a security association policy to the encrypted Ethernet data packet; applying an MPLS protocol to the encrypted Ethernet data packet to provide a Virtual Private LAN Network (VPLS) service to the enterprise; forwarding the encrypted Ethernet data packet according to MAC learning and aging functions provided by the VPLS service; wherein encrypting the Ethernet data packet and applying the security association policy are performed by a Policy Enforcement Point (PEP); and wherein applying the MPLS protocol and forwarding the encrypted Ethernet data packet are performed by a provider edge router.
2. The method of claim 1, additionally comprising the step of receiving the security association from a network overlay that is responsible for distributing the security policy and the encryption key to the PEPs.
3. The method of claim 2 wherein the network overlay additionally comprises: a security policy layer; and an encryption key layer.
4. The method of claim 3 wherein the security policy layer is provided by a Management and Policy (MAP) server and the encryption key layer is provided by a Key Authority Point (KAP) server.
5. The method of claim 4 wherein one outbound encryption key is provided for each PEP site that becomes the inbound encryption key for the other PEP sites.
6. The method of claim 4 further comprising the following steps: generating one key; and distributing the same key both for inbound traffic and outbound traffic for each associated PEP.
7. The method of claim 1, further comprising the steps of: maintaining the original MAC address header in the Ethernet data packet in the clear; and encrypting the Ethernet payload of the Ethernet data packet.
8. The method of claim 1, further comprising the step of: providing resiliency, by connecting two or more CEs to two or more PEs.
9. The method of claim 8 wherein two PEs are controlled by different service providers.
10. The method of claim 8 wherein full mesh connectivity between n enterprise sites, where n is greater than 2, is provided by only 2 security associations.
11. A system for operating on an Ethernet data packet to provide an enterprise networking environment over a service provider network, the system comprising: a customer edge (CE) router, located within the enterprise network, configured to provide the Ethernet data packet; a Policy Enforcement Point (PEP) communicatively coupled to the CE router, the PEP configured to: encrypt the Ethernet data packet according to an Ethernet encryption protocol to form an encrypted Ethernet data packet; and apply a security association policy to the encrypted Ethernet data packet; a provider edge router communicatively coupled to the PEP and located within the service provider network, the provider edge router configured to: apply an MPLS protocol to the encrypted Ethernet data packet having a security association policy to provide a Virtual Private LAN Network (VPLS) service to the enterprise; and forward the data packet according to MAC learning and aging functions provided by the VPLS service.
12. The system of claim 11 wherein the PEP is further configured to receive the security association from a network overlay that is responsible for distributing the security policy and the encryption key to the PEPs.
13. The system of claim 12 wherein the network overlay further comprises: a security policy layer; and an encryption key layer.
14. The system of claim 13 wherein the security policy layer is provided by a Management and Policy (MAP) server and the encryption key layer is provided by a Key Authority Point (KAP) server.
15. The system of claim 14 wherein one outbound encryption key is provided for each PEP site that becomes the inbound encryption key for the other PEP sites.
16. The system of claim 14 wherein the KAP is configured to: generate one key; and distribute the same key both for inbound traffic and outbound traffic for each associated PEP.
17. The system of claim 11 wherein the PEP is further configured to maintain the original MAC address header in the Ethernet data packet in the clear; and encrypt the Ethernet payload of the Ethernet data packet.
18. The system of claim 11, further comprising two or more CEs operable in communication with two or more PEs for providing resiliency.
19. The system of claim 18 wherein two PEs are controlled by different service providers.
20. The system of claim 18 wherein the network includes full mesh connectivity between n enterprise sites, where n is greater than 2, provided by only 2 security associations.
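The following Python model is an added illustration of the data path the claims describe, not the patent's own implementation: a KAP installs one group key on every PEP (claim 6), each PEP encrypts and authenticates only the Ethernet payload while leaving the MAC header in the clear (claim 7), and a PE performs MAC learning on that cleartext header (claim 1). The class names, the sample frame and the toy HMAC-SHA256 counter-mode cipher standing in for a real Ethernet encryption protocol are all assumptions of this example.

```python
import hashlib, hmac, os, struct

# Added model, not the patent's code. The cipher below is a toy HMAC-SHA256
# counter-mode keystream plus an HMAC tag over header and ciphertext; a real
# PEP would use a standard Ethernet encryption protocol. Because all PEPs
# share one key (claim 6), the per-frame nonce must never repeat.
HDR_LEN = 14  # dst MAC (6) + src MAC (6) + EtherType (2), left in the clear
NONCE_LEN, TAG_LEN = 12, 16

def _keystream(key, nonce, length):
    out = b""
    for ctr in range(length // 32 + 1):
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return out[:length]

def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

class KAP:  # Key Authority Point: one key, same for inbound and outbound
    def __init__(self):
        self.key = os.urandom(32)
    def distribute(self, peps):  # the encryption key layer of the overlay
        for pep in peps:
            pep.key = self.key

class PEP:  # Policy Enforcement Point at the enterprise edge
    def __init__(self):
        self.key = None
    def encrypt_frame(self, frame):
        hdr, payload = frame[:HDR_LEN], frame[HDR_LEN:]  # header stays readable
        nonce = os.urandom(NONCE_LEN)
        ct = _xor(payload, _keystream(self.key, nonce, len(payload)))
        tag = hmac.new(self.key, hdr + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
        return hdr + nonce + ct + tag
    def decrypt_frame(self, wire):
        hdr, nonce = wire[:HDR_LEN], wire[HDR_LEN:HDR_LEN + NONCE_LEN]
        ct, tag = wire[HDR_LEN + NONCE_LEN:-TAG_LEN], wire[-TAG_LEN:]
        expect = hmac.new(self.key, hdr + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expect):  # header or payload was altered
            raise ValueError("frame failed authentication")
        return hdr + _xor(ct, _keystream(self.key, nonce, len(ct)))

class PE:  # provider edge: VPLS MAC learning needs only the cleartext header
    def __init__(self):
        self.fdb = {}
    def forward(self, wire, in_port):
        dst, src = wire[0:6], wire[6:12]
        self.fdb[src] = in_port          # learn source MAC on ingress port
        return self.fdb.get(dst, "flood")  # unknown destination is flooded
```

The PE never needs the key: it learns and forwards on the header alone, while the tag lets the receiving PEP reject a frame whose header or payload was modified in transit.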
January 4, 2011